Froxlor CVE-2026-41233

EUVD-2026-25188 MEDIUM

Incorrect Authorization (CWE-863)

2026-04-23 GitHub_M

Authentication Bypass

5.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Apr 23, 2026 - 07:02 vuln.today

Patch available

Apr 23, 2026 - 06:16 EUVD

DescriptionNVD

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add(), the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customers_see_all permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's domains_used counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.

AnalysisAI

Froxlor versions prior to 2.3.6 allow authenticated resellers to bypass domain quota restrictions by attributing newly created domains to arbitrary admins through unvalidated adminid parameter input in the Domains.add() function. This vulnerability enables quota exhaustion attacks against other administrators and domain creation beyond the attacker's assigned limits, with confirmed patch availability in version 2.3.6.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41233 vulnerability details – vuln.today

Back